[aprssig] aprsis DOS in Poland, observation

Mobilinkd LLC mobilinkd at gmail.com
Sat Sep 5 13:07:10 EDT 2020

Would it be worthwhile discussing whether to use PKI for APRS-IS?

I just discovered that there is a registered X.509 extension for ham radio
callsigns and that we already have a CA in LOTW.


Kind Regards,

Rob Riggs WX9O
Mobilinkd LLC

On Sat, Sep 5, 2020 at 6:15 AM Heikki Hannikainen <hessu at hes.iki.fi> wrote:

> On Fri, 4 Sep 2020, Bill Vodall wrote:
> > Is aprs-is under a Denial of Services attack by jankesi and others?
> > Looks like multiple packets arriving every second.
>
> The packet rate during the DOS abuse event last night was some 1500-1700
> packets per second at peak.
>
> https://www.dropbox.com/s/tztvaup286vzwnb/aprsfi-polish-abuse-20200904-traffic.png?dl=0
>
> Some APRS-IS clients on the full feed could not take this traffic (too
> slow to process, or too slow network, buffers fill up) and got
> disconnected. As a network traffic rate, it was only around 1.4 Mbit/s sec
> though. Due to a bug, the two APRS-IS data aggregator aprsc instances at
> aprs.fi crashed too, leaving aprs.fi without a data feed.
>
> This is how it looked on the map, screen shot courtesy of Mateusz Szyper
> on the aprs.fi discussion group:
>
> https://www.dropbox.com/s/5wbjtttkkw1munh/aprs-polish-abuse-20200904-map.jpg?dl=0
>
> And here are a few sample packets, showing what the randomly generated
> packets looked like. The coordinates are random, in Poland, with the
> clear intention of polluting the map fully.
>
> 2020-09-04 19:48:27 EEST:
> CI37PA>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5031.68N\01844.35EZ jeszcze nie
> dojrzalem.
> 2020-09-04 19:48:46 EEST:
> CI371PY-3>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5248.72N/01933.83EX sie draznic z
> ludzmi.
> 2020-09-04 19:45:58 EEST:
> CI37PA-21>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5411.38N\01600.85E-2 Jebane kurwy
> cebulaki.
> 2020-09-04 19:48:56 EEST:
> CI37PA-20>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5051.97N/01543.24Eb masz, masz.
> 2020-09-04 19:49:26 EEST:
> CI37PA-88>APDR16,WIDE3-3,qAC,SQ6KPO-1:=5002.85N/02147.17Ec pomarancza kurwo
> niebieska.
>
> Here's more, each source callsign emitted packets at random coordinates
> with comments from some pool of (obscene) text, so you can just pick one
> call and watch:
>
> https://aprs.fi/?c=raw&limit=&call=CI37PA-9
>
> I haven't looked at a large data set yet; these samples were from a very
> small set of a thousand packets that I took a quick look at now. These
> packets were injected using an igate call of SQ6KPO-1 but there's no
> reason why that could not be a random call in the future. Also, it would
> be *very* unlikely that SQ6KPO is the callsign of the person doing this
> abuse - it is more likely that the intention is to abuse him by using his
> callsign.
>
> It's easy to write a client to do this kind of abuse, and easy to improve
> it (make more things random), and after that it's quite difficult to fully
> filter.
>
> This is just to describe what happened, and what you should expect to see
> in the future. We've been lucky to have very little abuse and DOS attacks
> so far.
>
>    - Hessu
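Detection logic for the pattern described in the quoted report (one entry call, source callsigns jumping between random coordinates), added here as an example and not code from either poster or from aprsc. The callsigns, thresholds and sample packets are constructed, and only `=`/`!` uncompressed position packets are parsed.

```python
import math
import re
from collections import defaultdict

# SRC>DEST,PATH,qXX,VIA:=DDMM.mmN<sym>DDDMM.mmE...  (uncompressed, no timestamp)
PKT = re.compile(r"^([^>]+)>[^:]*?,q[A-Za-z]{2},([^,:]+):[=!]"
                 r"(\d{2})(\d{2}\.\d{2})([NS]).(\d{3})(\d{2}\.\d{2})([EW])")

def parse(line):
    """Return (source, via, lat, lon), or None if the line is not parseable."""
    m = PKT.match(line)
    if not m:
        return None
    src, via, lad, lam, ns, lod, lom, ew = m.groups()
    lat = (int(lad) + float(lam) / 60) * (1 if ns == "N" else -1)
    lon = (int(lod) + float(lom) / 60) * (1 if ew == "E" else -1)
    return src, via, lat, lon

def km(a, b):
    """Haversine distance in km between two (lat, lon) pairs."""
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    dl = math.radians(b[1] - a[1])
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def suspicious_vias(records, max_kmh=1000, min_jumps=2):
    """records: (unix_time, raw_line) pairs. Returns {via: jump_count} for
    entry calls whose sources moved faster than max_kmh at least min_jumps times."""
    last = {}                       # source -> (time, (lat, lon))
    jumps = defaultdict(int)
    for t, line in sorted(records):
        p = parse(line)
        if not p:
            continue
        src, via, lat, lon = p
        if src in last:
            t0, pos0 = last[src]
            if km(pos0, (lat, lon)) / (max(t - t0, 1) / 3600) > max_kmh:
                jumps[via] += 1     # implausible speed: count against the entry call
        last[src] = (t, (lat, lon))
    return {v: n for v, n in jumps.items() if n >= min_jumps}

# Constructed sample: N0CALL-1 carries a "teleporting" source, N0CALL-2 a normal one.
SAMPLE = [
    (0,  r"TEST1>APDR16,WIDE3-3,qAC,N0CALL-1:=5031.68N\01844.35EZ test"),
    (20, r"TEST1>APDR16,WIDE3-3,qAC,N0CALL-1:=5411.38N\01600.85E- test"),
    (40, r"TEST1>APDR16,WIDE3-3,qAC,N0CALL-1:=5002.85N/02147.17Ec test"),
    (0,  r"TEST2>APRS,TCPIP*,qAC,N0CALL-2:=6010.00N/02456.00E- test"),
    (60, r"TEST2>APRS,TCPIP*,qAC,N0CALL-2:=6010.05N/02456.05E- test"),
]
```

As the quoted report notes, the entry call could be randomized in future traffic, so grouping by it only helps while the sender keeps it fixed.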